0fe0461342a37ab23f77f44dfd2aa2f41f6545ab2eef209d29b2f6f7ea0fc5f2

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 20:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0fe0461342a37ab23f77f44dfd2aa2f41f6545ab2eef209d29b2f6f7ea0fc5f2.exe
Size

337KB
MD5

2b3928ee3832af556817324a99e42026
SHA1

03a5475b6a17715ee792422e56f52fa50939fb27
SHA256

0fe0461342a37ab23f77f44dfd2aa2f41f6545ab2eef209d29b2f6f7ea0fc5f2
SHA512

f692294f556f260ce402e6dd4092dc6ec89ace883b07e4d14f77c2d2736973ef6a9bf159d861dd2de4b7625a8bd9a06093ff09e5b9f21bdc6cbfa692b972316d
SSDEEP

6144:GmpyGv7Gkijn/XizkSXcKRZ+VDdZ9+Gg8l/yvgHocnu:GcGEzQVD5+SKv18u

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	0fe0461342a37ab23f77f44dfd2aa2f41f6545ab2eef209d29b2f6f7ea0fc5f2.exe

Loads dropped DLL 1 IoCs

pid	Process
3460	0fe0461342a37ab23f77f44dfd2aa2f41f6545ab2eef209d29b2f6f7ea0fc5f2.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\explorer.001	0fe0461342a37ab23f77f44dfd2aa2f41f6545ab2eef209d29b2f6f7ea0fc5f2.exe
File created	C:\Windows\SysWOW64\explorer.006	0fe0461342a37ab23f77f44dfd2aa2f41f6545ab2eef209d29b2f6f7ea0fc5f2.exe
File created	C:\Windows\SysWOW64\explorer.007	0fe0461342a37ab23f77f44dfd2aa2f41f6545ab2eef209d29b2f6f7ea0fc5f2.exe
File created	C:\Windows\SysWOW64\explorer.exe	0fe0461342a37ab23f77f44dfd2aa2f41f6545ab2eef209d29b2f6f7ea0fc5f2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	explorer.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 884	3460	0fe0461342a37ab23f77f44dfd2aa2f41f6545ab2eef209d29b2f6f7ea0fc5f2.exe	80
PID 3460 wrote to memory of 884	3460	0fe0461342a37ab23f77f44dfd2aa2f41f6545ab2eef209d29b2f6f7ea0fc5f2.exe	80
PID 3460 wrote to memory of 884	3460	0fe0461342a37ab23f77f44dfd2aa2f41f6545ab2eef209d29b2f6f7ea0fc5f2.exe	80

C:\Users\Admin\AppData\Local\Temp\0fe0461342a37ab23f77f44dfd2aa2f41f6545ab2eef209d29b2f6f7ea0fc5f2.exe
"C:\Users\Admin\AppData\Local\Temp\0fe0461342a37ab23f77f44dfd2aa2f41f6545ab2eef209d29b2f6f7ea0fc5f2.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\system32\explorer.exe"
  2⤵
  - Modifies registry class
  PID:884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@69AB.tmp

Filesize
4KB

MD5
683f1f1e72a9fd91018e379b0f45c646

SHA1
e715798afee630bca17bd35e382626399e608788

SHA256
0770043fa8f879787c32f97e915295320738b28dc5c7a07a033df6d9ac5b4e50

SHA512
490a8fcc256fb97bdaf0ef7a243998338b3796db448874ed85613a087e16a9e1b0105af3deb57e18db253e550e5c8a0fd02dba1e52f4959937ffb6c587e3b8f5

Download Submit